blog.dornea.nu

Hack, code and drink some țuică. Personal blog of Victor Dorneanu.

HowTo: iOS Apps - Static analysis

In this short article I'll try to explain what are the main steps to analyze an iOS app. Since I've writen similar posts related to Android I thought I could devote some of spare time writing about the steps required to analyze iOS apps/binaries. But first of all let's start with:

Now that you roughly know what an iOS app is let's have a look at the most common blackbox pentesting tools out there. In this post I'll focus only on static analysis. Dynamic analysis (also known as runtime analysis) will be covered in a future post.

Sometimes you'll get an application that is built for multiple architectures. These applications then consist of multiple Mach-O files and are called fat or universal binaries. Mach-O fat binaries not only group completely different CPU architectures (PowerPC, Intel) but also 32- or 64-bit versions of an architecture. Besides that you'll also get different CPU subtypes bundled in one binary. The device running the binary will choose the "part" of the binary it can best support. Also have a look at this great article.

Load commands

The load commands are located directly after the header and specify the logical structure of the binary (as a file) and it's representation in the virtual memory (using offsets). Besides that you'll be able to get:

the symbol table

shared library details

For my understanding it's pretty much the same as ELFs segments and sections:

Load commands also define whether an application is encrypted or not. To have a look at the those run:

# otool -Vl BINARY
...

Raw segment data

In the Mach-O file you'll also have raw data for the segments specified in the load commands. One segment can consist of multiple sections.

Runtime protection features

iOS has several mechanisms which prevent application from being compromised at runtime. In order to understand the security issues that affect iOS applications, it is important to understand and to known the security features of the platform. The main security features of iOS are:

Code signing

Ensures that all applications come from a approved source (using Apple-issued certificates)

Keeping all this stuff in mind, let's pickup some binary and go for it.

Analyzing the binary

Comparing Android to iOS I must admit you'll have to overcome more (technical) challenges for a successful analysis. iOS uses binary files (instead of bytecode). Having that said I'll be using otool (which seems to be the equivalent to readelf) to inspect the binary.

Dangerous functions

Beside the previosly mentioned symbols we can also seek for symbols aimed at (classical) memory management mechanisms like malloc and free. Their presence indicate that the application has its own memory management which is the opposite to ARC. While this is not always a bad thing it could easily lead to some memory related vulnerabilities if not handled properly.

Understand the App

Now that we have examined the binary we should proceed and try to "understand" the application. This means we have to look at it from a logical perspective and identify its main components. Afterwards one can go into detail and analyze only certain parts of the application which might be of interest.

Every class name seems to be encrypted. That's a good hint you should decrypt the binary in case you haven't done so yet.

Decrypt binary

Since every application downloaded from the AppStore is encrypted using Apple's FairPlay DRM you'll have to decrypt them before starting your analysis. For this step I'll be using clutch to dump the relevant data from memory to disk.

Disassemble binary

I don't want to be too specific and go into too much detail. A good disassembler could save you a lot of time. I really like Hopper because it's free and easy to use. For the geeks out there feel free to throw your binary into IDA and let the bin rock. Particularly noteworthy is also radare2 which is unix-like reverse engineering framework.

Conclusion

Binary analysis can be a hell of a lot of fun if you have the right tools. Especially when you're not used to Apple's universe and don't have a Mac OS machine it could be useful to jailbreak your smartphone/tablet and install your tools there. Gather as much information as you can get to get a pretty precise image of what you're dealing with. Disassemble your binary to get more in "contact". Afterwards run it and do some runtime analysis.